A study by the non-profit Honeynet Project has come up with a strange answer to the Firefox versus Internet Explorer security question.

During the experiment, conducted in May 2007, the group compared three browsers -- Internet Explorer 6 SP2, Firefox 1.5.0 and Opera 8.0.0 -- to determine whether using an alternative browser would be an effective means to reduce the risk of malware attacks.

(Note: Firefox 1.5 is no longer supported, and the latest version of Microsoft's Web browser is IE 7.0. Opera's newest iteration is 9.23.)

The results:

Common perception about Internet Explorer and Firefox is that Firefox is safe and Internet Explorer is unsafe. However, a review of the remote code execution vulnerabilities (primary source: SecurityFocus) that were publicly disclosed for Firefox 1.5 and Internet Explorer SP2 reveals that, in fact, more were disclosed for Firefox 1.5, indicating that, if anything, the opposite is true.

This image shows known remote code execution vulnerabilities per browser:

However, when client honeypots running these browsers surfed to a list of about 30,000 known exploit servers, the URLs that produced a 0.5735% rate of successful compromises of Internet Explorer 6 SP2 did not cause a single successful attack on Firefox 1.5.0 or Opera 8.0.0.

"Particularly the results on Firefox 1.5.0 are surprising, considering the number of remote code execution vulnerabilities that were publicly disclosed for this browser and the fact that Firefox is also a popular browser," the Honeynet Project said, speculating that perhaps Firefox was never a target of those exploits.

We can only speculate why Firefox wasn’t targeted. We suspect that attacking Firefox is a more difficult task as it uses an automated and "immediate" update mechanism. Since Firefox is a standalone application that is not as integrated with the operating system as Internet Explorer, we suspect that users are more likely to have this update mechanism turned on. Firefox is truly a moving target. The success of an attack on a user of Internet Explorer 6 SP2 is likely to be higher than on a Firefox user, and therefore attackers target Internet Explorer 6 SP2.

Considering that Internet Explorer 7 has been pushed as a high security update by Microsoft for several months, there is an indication that a large number of these users probably do not have automatic updates turned on. Some portion of these 38.1% that do have automatic updates turned on have probably made a conscious decision not to update to Internet Explorer 7, but rather to just accept Internet Explorer 6 patches. Nevertheless, we suspect that many simply do not have automatic updates enabled.